Detection rules examples

ACSC Advisory IOCs detection rules for Elastic SIEM

Kibana dashboard example visualizing the results of the Elastic SIEM detection engine

A collection of rules based on the Sigma detection rules for web server looks, e.g. apache, nginx or IIS.

A collection of rules based on the Sigma detection rules for proxy server and web server looks, e.g. zeek or suricata.

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

A collection of rules based on the Sigma rules for Windows (process creation folder) based on Winlogbeat data .

A collection of rules based on the Sigma rules for Windows (inbuilt folder) based on Winlogbeat data .

A collection of rules based on the Sigma rules for AWS based on the Filebeat AWS module and Elastic agent integration.


More about Detection rules

If you are using the Elastic Stack you believe in the power of open source and understand the importance of community. The two core goals with Elastic Security are to stop large-scale threats and arm every analyst.

The Elastic Stack delivers 100s to 1000s of detection rules made by the Elastic Experts covering MITRE ATT&CK® techniques. However there is always room for improvement. On this page you find a collection of detection rules made by the community. Mainly influenced by the Sigma project.

With the help of this detection rule repository the goal is to provide Elastic Security users with the best detection that works across various data sources. It is using ECS as a great equalizer for patterns, making it possible to write rules that apply to multiple data sources at once.